Results 1 - 10 of 38
Regular vacuity
In Proc. 13th Advanced Research Working Conference on Correct Hardware Design and Verification Methods, volume 3725 of Lecture Notes in Computer Science, 2005
Cited by 16 (10 self)
Abstract. The application of model-checking tools to complex systems involves a nontrivial step of modelling the system by a finite-state model and a translation of the desired properties into a formal specification. While a positive answer of the model checker guarantees that the model satisfies the specification, correctness of the modelling is not checked. Vacuity detection is a successful approach for finding modelling errors that cause the satisfaction of the specification to be trivial. For example, the specification “every request is eventually followed by a grant” is satisfied vacuously in models in which requests are never sent. In general, a specification ϕ is satisfied vacuously in a model M if ϕ has a subformula ψ that does not affect the satisfaction of ϕ in M, where “does not affect” means we can replace ψ by a universally quantified proposition. Previous works focus on temporal logics such as LTL, CTL, and CTL*, and reduce vacuity detection to standard model checking. A major feature of recent industrial property-specification languages is their regular layer, which includes regular expressions and formulas constructed from regular
Monitoring temporal properties of continuous signals
In: Proceedings of FORMATS-FTRTFT. Volume 3253 of LNCS, 2004
Cited by 13 (3 self)
Abstract. In this paper we introduce a variant of temporal logic tailored for specifying desired properties of continuous signals. The logic is based on a bounded subset of the real-time logic MITL, augmented with a static mapping from continuous domains into propositions. From formulae in this logic we create automatically property monitors that can check whether a given signal of bounded length and finite variability satisfies the property. A prototype implementation of this procedure was used to check properties of simulation traces generated by Matlab/Simulink.
Tracechecks: Defining semantic interfaces with temporal logic
Software Composition, 2006
Cited by 11 (2 self)
Abstract. Tracechecks are a formalism based on linear temporal logic (LTL) with variable bindings and pointcuts of the aspect-oriented language AspectJ for the purpose of verification. We demonstrate how tracechecks can be used to model temporal assertions. These assertions reason about the dynamic control flow of an application. They can be used to formally define the semantic interface of classes. We explain in detail how we make use of AspectJ pointcuts to derive a formal model of an existing application and use LTL to express temporal assertions over this model. We developed a reference implementation with the abc compiler showing that the tool can be applied in practice and is memory-efficient. In addition we show how tracechecks can be deployed as Java5 annotations, yielding a system which is fully compliant with any Java compiler and hiding any peculiarities of aspect-oriented programming from the user. Through annotations, the tracecheck specifications become a semantic part of an interface. Consumers of such a component can then take advantage of the contained annotations by applying our tool and have their use of this component automatically checked at runtime for compliance with the intent of the component provider.
Experimental Evaluation of Classical Automata Constructions
In LPAR 2005, LNCS 3835, 2005
Cited by 11 (1 self)
There are several algorithms for producing the canonical DFA from a given NFA. While the theoretical complexities of these algorithms are known, there has not been a systematic empirical comparison between them. In this work we propose a probabilistic framework for testing the performance of automata-theoretic algorithms. We conduct a direct experimental comparison between Hopcroft's and Brzozowski's algorithms. We show that while Hopcroft's algorithm has better overall performance, Brzozowski's algorithm performs better for "high-density" NFA. We also consider the universality problem, which is traditionally solved explicitly via the subset construction. We propose an encoding that allows this problem to be solved symbolically via a model-checker. We compare the performance of this approach to that of the standard explicit algorithm, and show that the explicit approach performs significantly better.
Resets vs. Aborts in Linear Temporal Logic
2003
Cited by 10 (3 self)
There has been a major emphasis recently in the semiconductor industry on designing industrial-strength property specification languages. Two major languages are ForSpec and Sugar 2.0, which are both extensions of Pnueli's LTL. Both
Sanity Checks in Formal Verification
In Proc. of CONCUR’06, LNCS, 2006
Cited by 9 (2 self)
Abstract. One of the advantages of temporal-logic model-checking tools is their ability to accompany a negative answer to the correctness query by a counterexample to the satisfaction of the specification in the system. On the other hand, when the answer to the correctness query is positive, most model-checking tools provide no additional information. In the last few years there has been growing awareness of the importance of suspecting the system or the specification of containing an error also in the case model checking succeeds. The main justification for such suspicion is possible errors in the modeling of the system or of the specification. The goal of sanity checks is to detect such errors by further automatic reasoning. Two leading sanity checks are vacuity and coverage. In vacuity, the goal is to detect cases where the system satisfies the specification in some unintended trivial way. In coverage, the goal is to increase the exhaustiveness of the specification by detecting components of the system that do not play a role in the verification process. For both checks, the challenge is to define vacuity and coverage formally, develop algorithms for detecting vacuous satisfaction and low coverage, and suggest methods for returning helpful information to the user. We survey existing work on vacuity and coverage and argue that, in many aspects, the two checks are essentially the same: both are based on repeating the verification process on some mutant input. In vacuity, mutations are in the specifications, whereas in coverage, mutations are in the system. This observation enables us to adopt work done in the context of vacuity to coverage, and vice versa.
Specification and Verification of Artifact Behaviors in Business Process Models
Cited by 8 (2 self)
Abstract. SOA has influenced business process modeling and management. Recent business process models have elevated data representation to the same level as control flows; for example, the artifact-centric business process models allow the life cycle properties of artifacts (data objects) to be specified and analyzed. In this paper, we develop a specification language ABSL based on computation tree logic for artifact life cycle behaviors (e.g., reachability). We show that given a business model and starting configuration, it can be decided if an ABSL sentence is satisfied when the domains are bounded, and if an ABSL-core (sublanguage of ABSL) sentence is satisfied when the domains are totally ordered but unbounded. We also show that if the starting configuration is not given, ABSL(-core) is still decidable if the number of artifacts is bounded with bounded (resp. unbounded but ordered) domains.
An Abstraction Algorithm for the Verification of Level-sensitive Latch-based Netlists
2003
Cited by 8 (7 self)
High-performance hardware designs often intersperse combinational logic freely between level-sensitive latch layers (wherein each layer is transparent during only one clock phase), rather than utilizing master-slave latch pairs with no combinational logic between. While such designs may generally achieve much faster clock speeds, this design style poses a challenge to verification. In particular, unless the k-phase netlist N is abstracted to a full-cycle register-based netlist N', verification of N requires k times (or greater) as many state variables as would be necessary to obtain equivalent verification of N'. We present algorithms to automatically identify and abstract k-phase netlists—i.e., to perform phase abstraction—by selectively eliminating latches. The abstraction is valid for model checking CTL* formulae which reason solely about latches of a single phase. This algorithm has been implemented in the model checker RuleBase, and used to enhance the model checking of IBM’s Gigahertz Processor, which would not have been feasible otherwise due to computational constraints. This abstraction has furthermore allowed verification engineers to write properties and environments more efficiently.
Using HOL to study Sugar 2.0 semantics
Track B Proceedings of the 15th International Conference on Theorem Proving in Higher Order Logics, TPHOLs2002, volume CP-2002-211736 of NASA Conference Proceedings, 2002
Cited by 5 (2 self)
Abstract. The Accellera standards-promoting organisation has selected Sugar 2.0, IBM’s formal specification language, as a standard that it says will drive assertion-based verification. Sugar 2.0 combines aspects of Interval Temporal Logic (ITL), Linear Temporal Logic (LTL) and Computation Tree Logic (CTL) into a property language suitable for both formal verification and use with simulation test benches. As industrial strength languages go it is remarkably elegant, consisting of a small kernel conservatively extended by numerous definitions. We are constructing a semantic embedding of Sugar 2.0 in the version of higher order logic supported by the HOL system. To ‘sanity check’ the semantics we tried to prove some simple properties and as a result a few bugs were discovered. Further analysis may well reveal more. We are contemplating a variety of applications of the mechanised semantics, including the exploitation of existing work to build a Sugar model checker inside HOL. In the longer term we want to investigate the use
Model Checking the Garbage Collection Mechanism of SMV
2001
Cited by 5 (4 self)
This paper describes an experience in the application of the RuleBase model checker to software written in C, using the tool c2edl.